It didn't require a California law for data-theft victims to be notified after Paris Hilton's phone book hit the Web a week ago. Oh, they knew. Dozens of celebs, ranging from rapper Eminem to tennis babe Anna Kournikova, suffered through hundreds of calls from fans, pranksters and anyone else who found the contents of Hilton's T-Mobile cell phone on the Internet. There were also snapshots, to-do lists and transcripts of Hilton's text-messaging chats. But what caught headlines were the phone numbers of all those poor, beleaguered B-listers, suddenly out there where any nobody with a dialing finger could call them.
C'mon, stop snickering. I'm getting to a serious point here.
See, Hilton thought all that personal data was on her cell phone, tucked safely away in her ... well, wherever she keeps it. But she was wrong. The data's real home was on T-Mobile's servers. Her Sidekick II phone stored the data there automatically, just as it was designed to.
That arrangement means the data won't be lost if the phone is damaged or the batteries die. But it also means that if anyone were to hack into T-Mobile's servers, they'd have access to whatever Hilton put in her phone: pictures, documents, phone numbers, the works.
And T-Mobile's servers have a history of being hacked. In October 2003, intruders got into T-Mobile's customer databases and acquired passwords and other information that, in turn, let the bad guys access customer accounts. Hilton's account information was reportedly compromised at that time.
So was account information for a hotshot U.S. Secret Service agent, Peter Cavicchia. Cavicchia didn't store the numbers of celebrity friends on his phone -- that is, on T-Mobile's servers. He stored material linked to ongoing Secret Service criminal investigations.
According to the New York Daily News, that allowed one or more hackers to access numerous Secret Service documents, including reports, requests for subpoenas and a confidential treaty with Russia.
Cavicchia has since left the Secret Service, which says the security breach didn't compromise any ongoing investigations. And last week 22-year-old Nicholas Jacobsen pleaded guilty to the 2003 T-Mobile break-in. He'll be sentenced in May.
Now think: If a Secret Service agent stored sensitive information on his phone, how many of your users have likely done the same thing? And even if you've warned them to guard their phones carefully, how many have unknowingly stored sensitive company documents or data on a cell phone company's servers, where the only thing standing between that data and hackers is security you have no control over?
You can't protect that information. You don't even know what information is at risk. And your users don't even know it is at risk.
Not snickering now, are you? We're not talking about glitterati inconvenience and embarrassment any more. This is about your job: protecting your company's data.
What can you do? You could ban the use of state-of-the-art cell phones (which won't work). Or you could carefully audit every user's phone account for security (which would add a huge amount of work).
Or you can once again take on the challenge of educating your users. You can explain the risks of storing company data on their phones. And offer guidance about what data is safest to keep on which phones. And encourage them to consult with IT to keep potential problems to a minimum.
Yes, that's still a big job. It will require educating yourself on cell phone risks, too. But if you can get users to understand what's on the line, maybe you can get them to help you keep that data secure instead of fighting you.
After all, you don't really want to end up like Paris Hilton, do you?